In their letter, Vance and Tillis set a deadline of January 23 for the SEC to elucidate its plans to investigate what happened, among other things.
In a statement, the SEC said it will “work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct,” but provided no further specifics.
In practice, an “alphabet soup of investigations” is likely to ensue, according to John Stark, who served for 18 years as an attorney at the SEC. Those investigations will likely involve separate inquiries conducted by the SEC itself, the US Department of Justice—which will focus on identifying the hacker—and potentially other regulatory bodies. The DOJ did not respond to a request for comment.
The SEC’s internal investigation, says Stark, will likely be conducted by the Office of the Inspector General, independent to the rest of the agency, and will focus instead on any “staff misconduct” that might have enabled the security breach. The findings of what is likely to be a “robust investigation” will be provided to Congress, he says, but not for a number of months.
In July, the SEC imposed new rules on companies that register with the agency, requiring them to disclose material cybersecurity incidents and their “nature, scope, and timing” within four business days. The SEC did not respond when asked whether it will make a preliminary disclosure of this kind.
In the aftermath of the security breach, Gensler—something of a cartoon villain in crypto circles due to his agency’s aggression toward the industry—has faced mockery and calls for his resignation among crypto personalities on X.
It is unlikely, though, says industry analyst Noelle Acheson, formerly of crypto brokerage Genesis, that Gensler will be forced to resign. “I can’t see him letting go of the job,” she says, “unless it’s pried from his grasp.”
“The Twitterverse has been calling for Gensler’s resignation forever. But this isn’t the kind of thing you resign for,” says Stark. “At worst, SEC staff will be found to be guilty of the same thing as a lot of companies: sloppiness with respect to cybersecurity.”
Though an organization like the SEC should be expected to uphold tight security stands, says Stark, who currently works as a cybersecurity consultant, it is impossible to prevent all breaches. “You can do everything you can to stop them,” he says. “But sooner or later, some person screws up.”